How to mirror a Pointsec protected harddrive
Feb 6th, 2007 by Jesper Kråkhede
Even though encryption is a very good tool for protecting data, it does tend to get in the way when doing computer forensics. Fortunately, Pointsec has a way to log in so that you can read the hard drive decrypted without booting the operating system. By pressing CTRL+F9 when you see the Pointsec logon screen and then logging in, you will be able to have the computer boot from a floppy. You will not notice any change in Pointsec when pressing CTRL+F9, but the boot will take place from the floppy, and from the floppy only. By using a boot disk from www.guidancesoftware.com you can then start the DOS version of EnCase, set the computer up in Server mode, connect it with a network cable directly to another computer (not via a hub or switch) running EnCase, and from there start copying the hard disk. It takes about 6-12 hours, so you are in for a wait.
You could also mount the drive using a write blocker if you have logged on to another computer with Pointsec that has access to the drive you are mirroring. I have not tested this, yet.
Rather late reply, but since I did not find an overwhelming amount of info about the stuff you write about here when I tried to, I’ll just add:
– When using Pointsec, another key combination is CTRL+F10, which will give you a boot menu with a selection of floppy, CD, harddisk, network (if found) and Windows PE.
– I’m not sure how you managed to get EnCase to read your Pointsec-decrypted data however, since their Decryption Suite does not (yet?) support Pointsec. I.e., according to http://www.guidancesoftware.com/products/ee_modules.aspx.
– There are other options which are supposed to work:
a) to build a Windows/Bart PE with the Pointsec driver included, and use that for dumping the decrypted content to some other device, or
b) if the encrypted disk was set up to be allowed for use as a slave disk, you can add it as a slave to another PC with the same Pointsec setup, making the second PC decrypt your disk. Then start the mirroring.
I am a bit unclear in my post. You cannot break the encryption with this method. By pressing CTRL+F9 (nothing happens on the screen) and then logging in, you are able to mirror the disk without the encryption.
Another method is to install Pointsec on another computer, attach the drive you are about to mirror to that computer, and log in to Pointsec.
I have tried the Decryption Suite and it works rather well if you have the passwords. If I remember correctly it can provide a brute force attack.